
NAM 4.2 or 4.3 and userapp 4.5.5 - SAML - OSP

Hi

I have a simple question:

We have a UA 4.5.5 cluster, configured to authenticate by SAML on the OSP.

On each UA, we have the OSP service.

Do you need an SP trust from the NAM IDP to each UA/OSP with the real name of the machine, or only one SP trust on the common URL?

entityID = https://hostmane1:8443/osp/a/idm/auth/saml2/metadata
entityID = https://hostmane2:8443/osp/a/idm/auth/saml2/metadata

or

entityID = https://nam-public-url:8443/osp/a/idm/auth/saml2/metadata


Other info: NO LoadBalancer between NAM and UA

Thx

Serge
Knowledge Partner

Re: NAM 4.2 or 4.3 and userapp 4.5.5 - SAML - OSP

On 5/26/2017 4:44 AM, TellierS wrote:
>
> Hi
>
> I have a simple question:
>
> We have a UA 4.5.5 cluster, configured to authenticate by SAML on the
> OSP.
>
> On each UA, we have the OSP service.
>
> Do you need an SP trust from the NAM IDP to each UA/OSP with the real name of
> the machine, or only one SP trust on the common URL?
>
> entityID = https://hostmane1:8443/osp/a/idm/auth/saml2/metadata
> entityID = https://hostmane2:8443/osp/a/idm/auth/saml2/metadata
>
> or
>
> entityID = https://nam-public-url:8443/osp/a/idm/auth/saml2/metadata
What seems to work best is to use a cert with SAN (Subject Alternate
Names) with all the hostnames, plus a general pretty name, and then
load-balance the pretty name to the back-end hosts.

Otherwise, they are independent SAML federations and not really
clustered or failoverable.

I.e., you hit hostname1 and federate, great, but if you hit hostname2,
you re-auth again. Now NAM might do that quietly in the background; would
have to try that.

Say you hit hostname1 OSP. Not authed, so redirect to NAM IDP, login,
respond with SAML Response.

Then you hit a hostname2 URL. OSP sees no auth session, since they are
independent of each other, and redirects to the IDP; NAM sees you are already
authed and just passes back a SAML Response.

So lots of screen flashing, but should work.

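A check along the lines of that advice, added here as an example (not code from the thread or from NetIQ/Micro Focus): it pulls the hostnames out of the OSP entityID URLs and reports which of them a candidate certificate's SAN list would not cover, so the same cert can sit on each node and on the load-balanced pretty name. The hostnames and SAN lists are constructed placeholders, not the poster's real names.

```python
# Added example (not from the thread): verify that one certificate's SAN
# dNSName entries cover every hostname used in the OSP entityID URLs.
from urllib.parse import urlsplit

# Constructed sample data: two OSP nodes plus the shared public ("pretty") name.
ENTITY_IDS = [
    "https://osp1.example.com:8443/osp/a/idm/auth/saml2/metadata",
    "https://osp2.example.com:8443/osp/a/idm/auth/saml2/metadata",
    "https://nam.example.com:8443/osp/a/idm/auth/saml2/metadata",
]
SAN_INCOMPLETE = ["osp1.example.com", "osp2.example.com"]  # pretty name missing
SAN_COMPLETE = ["*.example.com"]                           # one wildcard covers all three


def host_of(entity_id):
    """Return the lower-cased hostname of an entityID URL (port stripped)."""
    host = urlsplit(entity_id).hostname
    if not host:
        raise ValueError("entityID has no host: %r" % entity_id)
    return host.lower()


def san_matches(host, san_entry):
    """RFC 6125-style dNSName match: exact, or a '*' that is the whole leftmost
    label and matches exactly one non-empty label (never across dots)."""
    host, san_entry = host.lower(), san_entry.lower()
    if "*" not in san_entry:
        return host == san_entry
    first, sep, rest = san_entry.partition(".")
    if first != "*" or not sep:        # partial wildcards like "os*.x" are rejected
        return False
    head, hsep, tail = host.partition(".")
    return bool(hsep) and head != "" and tail == rest


def uncovered_hosts(entity_ids, san_dns_names):
    """Hosts from entity_ids that no SAN dNSName entry covers, in input order."""
    missing = []
    for eid in entity_ids:
        host = host_of(eid)
        if not any(san_matches(host, san) for san in san_dns_names):
            missing.append(host)
    return missing


if __name__ == "__main__":
    for label, sans in (("incomplete", SAN_INCOMPLETE), ("complete", SAN_COMPLETE)):
        print(label, "SAN set, uncovered hosts:", uncovered_hosts(ENTITY_IDS, sans))
```

Run it against the dNSName list extracted from the real certificate (for example `openssl x509 -noout -ext subjectAltName`) before putting the pretty name in front of the OSP nodes.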